Full Report
The China-based actor behind the Warlock ransomware may not be a new player and has links to malicious activity dating as far back as 2019.
Analysis Summary
# Threat Actor: Storm-2603 (Associated with Warlock Ransomware)
## Attribution & Identity
* **Primary Attribution:** China-based actor.
* **Known Aliases/Associations:** Storm-2603 (internal designation by Microsoft), CL-CRI-1040 (Palo Alto Unit 42 designation). Linked to the deployment of Warlock Ransomware.
* **Related APTs (Contextual Link):** Mentioned alongside Budworm (Linen Typhoon, APT27) and Sheathminer (Violet Typhoon, APT31) in exploiting the ToolShell vulnerability, suggesting a milieu of Chinese state-linked or closely associated actors.
* **Motivation:** Cybercrime appears to be a core activity rather than pure espionage, as evidenced by the deployment of multiple ransomware payloads.
## Activity Summary
* The actor gained prominence by exploiting the **ToolShell zero-day vulnerability (CVE-2025-553770) in Microsoft SharePoint** starting around July 19, 2025.
* The actor is responsible for deploying the **Warlock Ransomware** payload, first observed in June 2025.
* The group has a history of using multiple ransomware payloads, sometimes bundled together in a single intrusion, including LockBit. They have also been identified as a **LockBit 3.0 affiliate**.
* Activity dates back to at least 2019, tying the group to older operations, potentially including the Anylock ransomware payload.
* Recent activity (August 2025) targeted an **engineering company in the Middle East** using Warlock.
## Tactics, Techniques & Procedures
* **Initial Access/Exploitation:** Exploitation of the **ToolShell zero-day vulnerability (CVE-2025-553770)** in on-premises SharePoint.
* **Code Execution & Deployment:** Extensive use of **DLL sideloading** (a tactic popular among Chinese groups).
    * Specifically observed using the legitimate application **7-Zip (7z.exe)** to sideload a malicious loader named **7z.dll**.
* **Defense Evasion/Persistence:**
    * Used a custom defense evasion tool signed with a stolen digital certificate (from "coolschool").
    * Employed the **Bring Your Own Vulnerable Driver (BYOVD)** technique, using an old, expired Baidu anti-virus driver (SHA256: f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3) to disable security software.
* **Payloads:** Deployed Warlock, LockBit, and potentially the precursor payload Anylock.
* **C2 Framework:** Use of a custom C&C framework referred to as **ak47c2** (or related to the Project AK47 toolkit).
* **MITRE ATT&CK Techniques (Inferred/Mentioned; no technique IDs are given in the source):** DLL sideloading, BYOVD.
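The two techniques above (7z.exe sideloading a malicious 7z.dll, and a BYOVD driver load) and the 7z.exe process-chain monitoring suggested under Mitigations can be expressed as simple checks over Sysmon-style telemetry. The following is an added example written for this page, not code from the report or any vendor; the only page values in it are the loader and driver SHA256 hashes quoted above. The event records are constructed sample data using Sysmon field names (`Image`, `ImageLoaded`, `Hashes`, `Signed`, `SignatureStatus`, `ParentImage`), the 7-Zip install directories are an assumed allow-list, and the driver file name is a placeholder.

```python
import ntpath

# Hashes quoted in the report above (page values), lower-case hex SHA256.
MALICIOUS_LOADER_SHA256 = {
    "9d52af33c05ea80f9bc47404b02ace4e16203dd81aef9021924885a6bff1d3c1",
    "15649e4d246fe6d03dc75ecb4cabe5d1f8723519ed8dd3176e1a97325e827daf",
}
VULNERABLE_DRIVER_SHA256 = {
    "f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3",
}
# Assumed allow-list: directories a legitimately installed 7-Zip loads 7z.dll from.
EXPECTED_7ZIP_DIRS = {r"c:\program files\7-zip", r"c:\program files (x86)\7-zip"}


def sha256_from_hashes_field(hashes):
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in hashes.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def check_image_load(ev):
    """Event ID 7: 7z.exe loading a 7z.dll that carries a known loader hash,
    is unsigned, or sits outside the expected install directory (sideloading)."""
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    if not (image.endswith("\\7z.exe") and loaded.endswith("\\7z.dll")):
        return []
    reasons = []
    if sha256_from_hashes_field(ev.get("Hashes", "")) in MALICIOUS_LOADER_SHA256:
        reasons.append("known Warlock loader hash")
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("unsigned 7z.dll")
    if ntpath.dirname(loaded) not in EXPECTED_7ZIP_DIRS:
        reasons.append("7z.dll loaded from unexpected directory")
    return reasons


def check_driver_load(ev):
    """Event ID 6: a driver matching the known vulnerable Baidu driver hash,
    or whose signature is no longer valid (the report notes it is expired)."""
    reasons = []
    if sha256_from_hashes_field(ev.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
        reasons.append("known vulnerable driver hash (BYOVD)")
    status = ev.get("SignatureStatus", "?")
    if status.lower() != "valid":
        reasons.append("driver signature not valid: " + status)
    return reasons


def check_process_create(ev):
    """Event ID 1: an archiver has no routine reason to spawn child processes,
    so 7z.exe as a parent is the 'unusual process' chain the mitigation describes."""
    if ev.get("ParentImage", "").lower().endswith("\\7z.exe"):
        return ["7z.exe spawned " + ntpath.basename(ev.get("Image", ""))]
    return []


CHECKS = {7: check_image_load, 6: check_driver_load, 1: check_process_create}


def triage(events):
    """Return [(event_index, reasons)] for every event that trips a check."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = CHECKS.get(ev.get("EventID"), lambda e: [])(ev)
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample events (not real telemetry), using Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\tools\7z.exe",
     "ImageLoaded": r"C:\Users\Public\tools\7z.dll", "Signed": "false",
     "Hashes": "SHA256=9d52af33c05ea80f9bc47404b02ace4e16203dd81aef9021924885a6bff1d3c1"},
    {"EventID": 7, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll", "Signed": "true",
     "Hashes": "SHA256=" + "0" * 64},  # placeholder benign hash
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\driver.sys",  # placeholder file name
     "SignatureStatus": "Expired",
     "Hashes": "SHA256=f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\tools\7z.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Browser\browser.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "Hashes": "SHA256=" + "1" * 64},  # unrelated load, should not alert
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The three checks are deliberately independent so each can be tuned on its own: the hash checks are exact-match and will age out as the actor recompiles, while the path, signature and parent-process checks catch the sideloading and BYOVD pattern itself regardless of the specific binary.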
## Targeting
* **Sectors:** Engineering (at least one observed victim).
* **Geography:** A global scope is suggested by the ToolShell exploitation, though the one specifically named victim is in the Middle East. The actor itself is assessed to be based in China.
* **Victims:** An engineering company in the Middle East (August 2025); a **U.S. firm** (August 2025).
## Tools & Infrastructure
* **Malware Families Used:** Warlock Ransomware, LockBit 3.0, AK47/Anylock payload, Curl Backdoor.
* **Infrastructure (C2/Other):**
    * Custom C&C framework: **ak47c2**.
    * Malicious DLLs: **7z.dll** (loader).
    * Vulnerable driver used for BYOVD: old Baidu anti-virus driver.
    * Ransomware site: mentioned using a site named **Warlock Client**.
* **Indicators of Compromise (IOCs - SHA256 hashes provided):**
    * Loaders (7z.dll): 9d52af33c05ea80f9bc47404b02ace4e16203dd81aef9021924885a6bff1d3c1, 15649e4d246fe6d03dc75ecb4cabe5d1f8723519ed8dd3176e1a97325e827daf
    * Backdoor (Curl Backdoor): 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf
    * Vulnerable driver: f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3
    * Warlock payload: ca2c02f592d72cafc218f4edd1ea771f8d1458cb95c2c76c3e384e63cefd1fb6, 6feb5361fd3abd3a7a733c30bfcc2b58fc774ac6aa91a468ce2e31dcffc9d4de
## Implications
The actor represents a convergence of state-linked tradecraft (advanced supply chain/vulnerability exploitation, DLL sideloading, abuse of a stolen code-signing certificate, and BYOVD) with cybercriminal aims (ransomware deployment). Warlock represents a potential rebrand or evolution of the Anylock payload, possibly linked to the retired Black Basta operation, indicating a flexible and persistent adversary that shifts branding to maintain operational security or exploit market awareness.
## Mitigations
* Prioritize patching of vulnerabilities, specifically **CVE-2025-553770 (ToolShell) in Microsoft SharePoint**.
* Implement robust detection and prevention for the **DLL Sideloading** technique (e.g., monitoring execution chains involving legitimate binaries like 7z.exe spawning unusual processes or loading unsigned/malicious DLLs).
* Monitor for the use of **BYOVD techniques**, especially involving known vulnerable drivers or those signed with suspicious certificates, to disable endpoint security controls.
* Implement enhanced behavioral monitoring for known Warlock/Anylock file indicators mentioned in the IOC list.
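The last mitigation and the IOC list above amount to a file-hash sweep. The following is an added example written for this page, not code from the report or any vendor: it walks a directory tree, hashes files in chunks (so large files do not have to fit in memory), skips unreadable files without aborting, and reports any file whose SHA256 is in the indicator set. The indicator set holds exactly the six hashes quoted on this page. Because real samples cannot be reproduced here, `demo()` builds a scratch tree with a constructed placeholder file and adds that file's own hash to a copy of the set, purely to exercise the match path.

```python
import hashlib
import os
import tempfile

# Indicators quoted in the report above (page values), lower-case hex SHA256.
WARLOCK_IOC_SHA256 = {
    "9d52af33c05ea80f9bc47404b02ace4e16203dd81aef9021924885a6bff1d3c1",  # 7z.dll loader
    "15649e4d246fe6d03dc75ecb4cabe5d1f8723519ed8dd3176e1a97325e827daf",  # 7z.dll loader
    "24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf",  # Curl backdoor
    "f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3",  # vulnerable driver
    "ca2c02f592d72cafc218f4edd1ea771f8d1458cb95c2c76c3e384e63cefd1fb6",  # Warlock payload
    "6feb5361fd3abd3a7a733c30bfcc2b58fc774ac6aa91a468ce2e31dcffc9d4de",  # Warlock payload
}


def sha256_file(path, chunk=1 << 20):
    """SHA256 of a file, read in 1 MiB chunks so large binaries stream through."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=WARLOCK_IOC_SHA256, max_bytes=256 << 20):
    """Walk root and return (matches, skipped): matches is a list of
    (path, sha256) for files whose hash is in iocs; skipped counts files that
    could not be read. Files larger than max_bytes are ignored to bound runtime."""
    matches, skipped = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_bytes:
                    continue
                digest = sha256_file(path)
            except OSError:
                skipped += 1
                continue
            if digest in iocs:
                matches.append((path, digest))
    return matches, skipped


def demo():
    """Constructed scenario: a scratch tree with one placeholder file whose own
    hash is added to a copy of the IOC set, so the match path runs without any
    real malware on disk. Returns (matched basenames, skipped count)."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "tools")
        os.makedirs(sub)
        hit = os.path.join(sub, "7z.dll")  # placeholder content, not a real loader
        with open(hit, "wb") as f:
            f.write(b"constructed placeholder bytes, not a real loader\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("benign\n")
        iocs = WARLOCK_IOC_SHA256 | {sha256_file(hit)}
        matches, skipped = sweep(root, iocs)
        return [os.path.basename(p) for p, _ in matches], skipped


if __name__ == "__main__":
    print(demo())
```

In production the sweep would be pointed at user-writable and temp locations first (the sideloaded 7z.dll is staged next to a copied 7z.exe), and a hash match should be treated as a trigger for the process and driver-load checks rather than as the whole detection, since hash indicators expire as soon as the actor rebuilds a payload.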